chore: add uv supply-chain hardening and enforce locked installs

vinta · claude · vinta · commit 0bf9522e5d90 · 2026-04-22T02:21:48.000+08:00
- Set exclude-newer to 3 days and only-binary/:all: in pyproject.toml to
  limit dependency freshness window and block source builds
- Switch uv sync to --locked in Makefile, ci.yml, and deploy-website.yml
  to enforce the lockfile rather than re-resolving on each install
- Regenerate uv.lock with exclude-newer snapshot recorded

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ jobs:
           enable-cache: true
 
       - name: Install dependencies
-        run: uv sync --group build
+        run: uv sync --group build --locked
 
       - name: Run tests
         run: make test
diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
@@ -31,7 +31,7 @@ jobs:
           enable-cache: true
 
       - name: Install dependencies
-        run: uv sync --group build
+        run: uv sync --group build --locked
 
       - name: Run tests
         if: github.event_name == 'schedule'
diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@
 export
 
 install:
-	uv sync
+	uv sync --locked
 
 fetch_github_stars:
 	uv run python website/fetch_github_stars.py
diff --git a/pyproject.toml b/pyproject.toml
@@ -29,3 +29,10 @@ pythonpath = ["website"]
 
 [tool.ruff]
 line-length = 200
+
+[tool.uv]
+exclude-newer = "3 days"
+no-build = true
+
+[tool.uv.pip]
+only-binary = [":all:"]
diff --git a/uv.lock b/uv.lock
